One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.
The above demonstration remains a proof of concept for now: it has not been observed “in the wild,” and the company has stated that it is aware of the issue. But it is one of a growing number of examples that expose the potential vulnerabilities of internet-connected devices. Until recently, developers seeking to incorporate security and privacy into the design of new devices did not have a common, easy-to-understand model for their efforts.
The Online Trust Alliance is seeking to fill the void with a set of principles for preserving the privacy, security, and sustainability of IoT devices. The IoT Trust Framework (Framework), released last month, is the product of nine months of effort by the IoT Trustworthy Working Group (ITWG), a multi-stakeholder initiative whose membership includes industry associations, technology companies, and research organizations.
The ITWG established an ambitious set of goals for the Framework. By incorporating existing standards from NIST, NTIA, ISO, and industry working groups, the ITWG hopes that the Framework will provide a common blueprint for the development of secure devices with transparent privacy controls. The ITWG also seeks to encourage a robust and collaborative process in which stakeholders share best practices and intelligence about emerging threats. Finally, the ITWG aims to establish a set of measurable criteria by which devices can be assessed.
The Framework is based on the Fair Information Practice Principles (FIPPs) as well as regulatory considerations and best practices from around the world. Its thirty principles, refined with input from nearly 100 organizations, are organized into three categories: security; user access and credentials; and privacy, disclosures, and transparency.
Security. The security principles guide companies to incorporate security at the design stage, then maintain it through regular software updates, continuous threat monitoring, and sound authentication and encryption practices. The principles include the following:
- All IoT devices and associated software should be subjected to a rigorous software development lifecycle, including unit, system, acceptance, and regression testing.
- Authentication credentials, including but not limited to passwords, shall be salted and hashed or encrypted.
- Personally identifiable data in transit and in storage should be encrypted using current generally accepted security standards.
- IoT support sites should implement regular monitoring and continual improvement of site security and server configurations to reduce the impact of vulnerabilities.
User Access and Credentials. The access and credentials principles provide guidelines for setting, using, disabling, and recovering user passwords. The principles include the following:
- Provide unique system-generated or single-use passwords, or alternatively use secure certificate credentials.
- Lock or disable user and device support account(s) after a reasonable number of invalid log-in attempts.
- Provide users notification of password reset or change utilizing secure authentication and/or out-of-band notice(s).
Privacy, Disclosures, and Transparency. The privacy, disclosures, and transparency principles outline the types of information that must be made available, as well as when and how data should be disclosed. The principles include the following:
- Share consumers’ personal data with third parties only with consumers’ affirmative consent, unless required for product or service operation; require that third party service providers be held to the same polices.
- Provide the ability for the user or proxy to delete or anonymize personal/sensitive data stored on company servers (other than purchase transaction history) upon discontinuing, loss or sale of device.
The Framework initially is limited in scope to home automation devices and health and fitness wearable technologies, but its authors anticipate developing the Framework into a code of conduct or certification program shared by device manufacturers, application developers, service providers, and others. The Framework is intended to be consistent with existing laws and regulations, but does not supersede them.
Compliance with the Framework is voluntary. Broad adoption from organizations around the world may establish the Framework as a valuable and much-needed resource for encouraging responsible innovation in the rapidly expanding Internet of Things.